CentOS7安装OpenSSL1.1.1s
https://www.openssl.org/source/openssl-1.1.1s.tar.gz
tar -xzf openssl-1.1.1s.tar.gz
cd openssl-1.1.1s
./config --prefix=/usr
make && make install
ldconfig
查看当前版本
openssl version
OpenSSL 1.1.1s 1 Nov 2022二蛋 发布的文章
CentOS7平滑升级Nginx版本并启用TLS1.3
一、升级Nginx
查看当前OpenSSL版本
openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
由于TLS1.3需要OpenSSL1.1.1及以上版本支持,如果版本过低,可参考升级OpenSSL版本
查看当前Nginx版本信息
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --add-module=../nginx_mod_h264_streaming-2.2.7 --with-pcre=../pcre-8.43 --with-zlib=../zlib-1.2.11 --user=www --group=www --with-http_flv_module --with-http_stub_status_module --with-threads --with-http_ssl_module --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_mp4_module --with-cc-opt=-O3
下载新版nginx、解压并进入解压后的目录
CentOS升级CMake
cd /usr/local/
wget https://github.com/Kitware/CMake/releases/download/v3.24.2/cmake-3.24.2-linux-x86_64.tar.gz
tar zxf cmake-3.24.2-linux-x86_64.tar.gz
mv cmake-3.24.2-linux-x86_64 cmake
mv /usr/bin/cmake /usr/bin/cmake.backup
ln -sf /usr/local/cmake/bin/cmake /usr/bin/cmakeCannot find a valid baseurl for repo: epel
One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=<repoid> ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable <repoid>
or
subscription-manager repos --disable=<repoid>
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
Cannot find a valid baseurl for repo: epel
到处找原因,发现原因其实就是某一个repository不能用。
最后发现可能的原因是运行了yum install epel-release, 其实问题就出在这...
解决方案是
yum remove epel-release
yum update
yum install epel-releaselnmp安装ngx_waf模块
ngx_waf是一款方便且高性能的nginx防火墙模块,功能齐全,「网络应用防火墙」的基本功能都有。安装方便,大多数情况下你可以直接下载使用预构建的模块。使用便捷,配置指令简单易懂。规则灵活,提供高级规则,将动作(如拦截或放行)和多个条件表达式组合起来。
Github项目地址:https://github.com/ADD-SP/ngx_waf
功能特性
兼容 ModSecurity。
SQL 注入防护。
XSS 攻击防护。
支持 IPV4 和 IPV6。
支持开启验证码(CAPTCHA),支持hCaptcha、reCAPTCHAv2和reCAPTCHAv3。
支持识别友好爬虫(如 BaiduSpider)并自动放行(基于User-Agent和IP的识别)。
CC防御,超出限制后自动拉黑对应IP一段时间或者使用验证码做人机识别。
IP黑白名单,同时支持类似192.168.0.0/16和fe80::/10,即支持点分十进制和冒号十六进制表示法和网段划分。
POST 黑名单。
URL 黑白名单
查询字符串(Query String)黑名单。
UserAgent 黑名单。
Cookie 黑名单。
Referer 黑白名单。